diff --git a/.github/workflows/ado-workitems.yml b/.github/workflows/ado-workitems.yml
new file mode 100644
index 00000000..cb03a5af
--- /dev/null
+++ b/.github/workflows/ado-workitems.yml
@@ -0,0 +1,25 @@
+on:
+ workflow_dispatch:
+
+jobs:
+ import-policy-flaws:
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: import flaws as issues
+ uses: julz0815/ado-workitems-action@api_and_close
+ with:
+ ado-token: ${{ secrets.ADO_PAT }}
+ ado-org: jtotzek
+ ado-project: MeijerTest
+ work-item-type: Bug
+ area-path: "MeijerTest"
+ iteration-path: "MeijerTest"
+ open-state: New
+ close-state: Closed
+ repopen-state: New
+ veracode-api-id: ${{ secrets.VID }}
+ veracode-api-key: ${{ secrets.VKEY }}
+ veracode-app-profile: "test-action"
+ scan-type: "Static Analysis and SCA"
+ import-type: "All Unmitigated Flaws Violating Policy"
diff --git a/.github/workflows/backgroundnotifier.yml b/.github/workflows/backgroundnotifier.yml
new file mode 100644
index 00000000..19b14cac
--- /dev/null
+++ b/.github/workflows/backgroundnotifier.yml
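Review bot: The `uses: julz0815/ado-workitems-action@api_and_close` step receives `secrets.ADO_PAT`, `secrets.VID` and `secrets.VKEY` but is pinned to a mutable branch on a personal fork, so anyone who can push to that branch changes what runs with those credentials. Pin to a full commit SHA (`uses: julz0815/ado-workitems-action@<commit-sha>  # api_and_close`) or to a released tag once the branch is merged. The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; an explicit minimal block documents what the action actually needs. The input key `repopen-state` looks like a misspelling of `reopen-state`; if the action does not declare an input by that name, GitHub only warns and the value is dropped, so check it against the action's `action.yml`.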
@@ -0,0 +1,68 @@
+on:
+# pull_request:
+# branches: [main]
+ workflow_dispatch:
+
+
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-java@v3
+ with:
+ distribution: 'zulu'
+ java-version: 8
+ - name: Cache Maven packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ - name: Build with Maven
+ run: mvn clean package
+
+ - uses: actions/upload-artifact@v4
+ with:
+ name: verademo.war
+ path: target/verademo.war
+
+ pipeline_scan:
+ needs: build
+ runs-on: ubuntu-latest
+ name: pipeline scan
+ steps:
+ - name: Background timer notifier
+ run: |
+ (
+ i=0
+ while true; do
+ i=$((i+1))
+ curl -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ https://api.github.com/repos/${{ github.repository }}/issues/1/comments \
+ -d "{\"body\":\"⏱️ Job running for $((i * 1)) minutes...\"}"
+ sleep 60
+ done
+ ) &
+ - name: checkout repo
+ uses: actions/checkout@v3
+
+ - name: get archive
+ uses: actions/download-artifact@v4
+ with:
+ name: verademo.war
+ - name: pipeline-scan action step
+ id: pipelien-scan
+ uses: veracode/Veracode-pipeline-scan-action@v1.0.18
+ with:
+ vid: ${{ secrets.VID }}
+ vkey: ${{ secrets.VKEY }}
+ #file: "auth.js.zip"
+ file: "verademo.war"
+ request_policy: "VeraDemo Policy"
+ #store_baseline_file: true
+ #store_baseline_file_branch: "feature-123"
+ #create_baseline_from: "standard"
+ debug: 1
+ fail_build: false
diff --git a/.github/workflows/containerscan.yml b/.github/workflows/containerscan.yml
index 0f272d3a..f52db070 100644
--- a/.github/workflows/containerscan.yml
+++ b/.github/workflows/containerscan.yml
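Review bot: The `Background timer notifier` step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.repository }}` directly into the `run:` script text, and the `while true` loop it backgrounds with `) &` is never stopped, so it keeps posting to the hard-coded `/issues/1/comments` endpoint for the rest of the job or until the token expires. Pass the token through a step-level `env:` entry `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and use `-H "Authorization: token $GH_TOKEN"` so the secret is read as a variable rather than substituted into the script. Record the subshell's PID (`echo $! > notifier.pid`) and kill it in a final `if: always()` step so the loop does not outlive the scan, and replace the literal issue number with an input; if issue 1 does not exist the loop fails silently on every iteration. `$((i * 1))` is just `$i`, and `id: pipelien-scan` carries a typo that any later `steps.<id>.outputs` reference will have to repeat.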
@@ -13,10 +13,10 @@ jobs: steps: - name: checkout uses: actions/checkout@v2 - + - name: container-scan action step id: container-scan - uses: veracode/container_iac_secrets_scanning@v1.0.1 + uses: veracode/container_iac_secrets_scanning@addPolicySupport with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} @@ -26,3 +26,4 @@ jobs: format: "json" debug: true fail_build: true + policy: "Container/IaC/Secrets" diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml new file mode 100644 index 00000000..95801d02 --- /dev/null +++ b/.github/workflows/dast.yml @@ -0,0 +1,17 @@ +on: + workflow_dispatch: + +name: Veracode DAST + +jobs: + Submit-DAST-Scan: + runs-on: ubuntu-latest + steps: + - name: Submit Veracode DAST Scan + uses: veracode/veracode-dast-action@resultsToIssues + with: + vid: ${{ secrets.VID }} + vkey: ${{ secrets.VKEY }} + action_type: load-results + profile_name: "Verademo API" + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/importflaws.yml b/.github/workflows/importflaws.yml index eca816f4..fbf32632 100644 --- a/.github/workflows/importflaws.yml +++ b/.github/workflows/importflaws.yml 
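Review bot: `uses: veracode/container_iac_secrets_scanning@addPolicySupport` replaces a version tag with a feature-branch ref while the step still receives `secrets.VID` and `secrets.VKEY`; a branch can be force-pushed or deleted at any time, so the scan changes or breaks with no diff in this repository. Pin to the branch head's commit SHA (`uses: veracode/container_iac_secrets_scanning@<commit-sha>  # addPolicySupport`) and return to a tagged release once the `policy` input ships. The context line `uses: actions/checkout@v2` is also behind the `actions/checkout@v3` the other workflows in this commit use.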
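Review bot: The `Submit Veracode DAST Scan` step hands `secrets.GITHUB_TOKEN` to `veracode/veracode-dast-action@resultsToIssues`, a branch ref, and the workflow has no `permissions:` block. If the branch name is accurate and the action creates issues from results, it needs `issues: write`, which the default token does not carry when the repository's default workflow permissions are read-only; add a workflow-level `permissions:` with `contents: read` and `issues: write` so the grant is explicit and nothing broader is implied. As with the other branch-pinned actions in this commit, prefer a commit SHA over `@resultsToIssues`.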
@@ -6,27 +6,75 @@ on: # - feature-123 jobs: - get-policy-flaws: - runs-on: ubuntu-latest - container: - image: veracode/api-signing:latest - steps: - - name: get policy flaws - run: | - cd /tmp - export VERACODE_API_KEY_ID=${{ secrets.VID }} - export VERACODE_API_KEY_SECRET=${{ secrets.VKEY }} - guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=test-action" | jq -r '._embedded.applications[0].guid') - echo GUID: ${guid} - total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True" | jq -r '.page.total_elements') - echo TOTAL_FLAWS: ${total_flaws} - http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json +# build: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - uses: actions/setup-java@v3 +# with: +# distribution: 'zulu' +# java-version: 8 +## - name: Cache Maven packages +## uses: actions/cache@v3 +## with: +## path: ~/.m2 +## key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} +# - name: Build with Maven +# run: mvn clean package - - name: save results file - uses: actions/upload-artifact@v3 - with: - name: policy-flaws - path: /tmp/policy_flaws.json +# - uses: actions/upload-artifact@v4 +# with: +# name: verademo.war +# path: target/verademo.war + +# pipeline_scan: +# needs: build +# runs-on: ubuntu-latest +# name: pipeline scan +# steps: +# - name: checkout repo +# uses: actions/checkout@v3 + +# - name: get archive +# uses: actions/download-artifact@v4 +# with: +# name: verademo.war +# - name: pipeline-scan action step +# id: pipelien-scan +# uses: veracode/Veracode-pipeline-scan-action@esd-true +# with: +# vid: ${{ secrets.VID }} +# vkey: ${{ secrets.VKEY }} +# file: "verademo.war" +# request_policy: "VeraDemo Policy" +# debug: 1 +# fail_build: true + + + +# 
get-policy-flaws: +# runs-on: ubuntu-latest +# continue-on-error: true +# container: +# image: veracode/api-signing:latest +# steps: +# - name: get policy flaws +# run: | +# cd /tmp +# export VERACODE_API_KEY_ID=${{ secrets.VID }} +# export VERACODE_API_KEY_SECRET=${{ secrets.VKEY }} +# guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=test-app1" | jq -r '._embedded.applications[0].guid') +# echo GUID: ${guid} +# total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&include_annot=TRUE" | jq -r '.page.total_elements') +# echo TOTAL_FLAWS: ${total_flaws} +# http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}&include_annot=TRUE" > policy_flaws.json + +# - name: save results file +# uses: actions/upload-artifact@v4 +# with: +# name: policy-flaws +# path: /tmp/policy_flaws.json + # results_to_security_tab: # needs: get-policy-flaws 
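Review bot: This hunk replaces the working `get-policy-flaws` job with roughly sixty commented-out lines that are not a copy of what was removed (`test-action` became `test-app1`, `include_annot=TRUE` was added, `@esd-true` and `upload-artifact@v4` appear), so the comment block is neither history nor a runnable job. Delete the dead job and rely on git history, or keep one disabled copy in a separate workflow file; commented YAML is never validated and has already drifted here. If the job is ever re-enabled, move `export VERACODE_API_KEY_ID=${{ secrets.VID }}` and the key secret into a step `env:` rather than expanding them into the `run:` script text. The `jobs:` mapping continues past the end of this hunk.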
@@ -51,19 +99,37 @@ jobs: # source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF" import-policy-flaws: - needs: get-policy-flaws +# needs: get-policy-flaws runs-on: ubuntu-latest +# if: always() steps: - - name: get flaw file - uses: actions/download-artifact@v3 - with: - name: policy-flaws - path: /tmp +# - uses: actions/checkout@v3 +# - name: get flaw file +# uses: actions/download-artifact@v4 +# with: +# name: policy-flaws +# path: /tmp + + #- name: Show folder + # run: | + # ls -laR /tmp - name: import flaws as issues - uses: veracode/veracode-flaws-to-issues@FixEmptyResults + uses: veracode/veracode-flaws-to-issues@ADO_workitems with: + dts_type: ADO + ADO_PAT: ${{ secrets.ADO_PAT }} + ADO_ORG: jtotzek + ADO_PROJECT: MeijerTest + ADO_WORK_ITEM_TYPE: Bug + ADO_OPEN_STATE: New + ADO_CLOSE_STATE: Closed + ADO_REOPEN_STATE: New scan-results-json: '/tmp/policy_flaws.json' -# debug: true - source_base_path_1: "com/:src/main/java/com/" - source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF" + veracode-api-id: ${{ secrets.VID }} + veracode-api-key: ${{ secrets.VKEY }} + profile-name: "julian-veracode/python-test-repo" + #sandbox-name: "Feature123" + include-sca: true + autoCloseFindings: true + debug: true diff --git a/.github/workflows/pipelinescan.yaml b/.github/workflows/pipelinescan.yaml index f116430a..bc72d90a 100644 --- a/.github/workflows/pipelinescan.yaml +++ b/.github/workflows/pipelinescan.yaml @@ -22,7 +22,7 @@ jobs: - name: Build with Maven run: mvn clean package - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: verademo.war path: target/verademo.war 
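Review bot: `import-policy-flaws` still passes `scan-results-json: '/tmp/policy_flaws.json'`, but the `needs: get-policy-flaws` line and the `get flaw file` download step that produced that path are now commented out, so the file will not exist on this runner unless `veracode/veracode-flaws-to-issues@ADO_workitems` fetches results itself from `veracode-api-id`/`veracode-api-key` and `profile-name` — confirm that, and drop the stale input if so. The action is again pinned to a branch while receiving `secrets.ADO_PAT`, `secrets.VID` and `secrets.VKEY`; pin to a commit SHA. `profile-name: "julian-veracode/python-test-repo"` names a different repository than the Java project this workflow is part of, which reads like a leftover from testing. The `jobs:` mapping starts before this hunk.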
@@ -36,12 +36,12 @@ jobs: uses: actions/checkout@v3 - name: get archive - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: verademo.war - name: pipeline-scan action step id: pipelien-scan - uses: veracode/Veracode-pipeline-scan-action@v1.0.12 + uses: veracode/Veracode-pipeline-scan-action@v1.0.18 with: vid: ${{ secrets.VID }} vkey: ${{ secrets.VKEY }} @@ -54,27 +54,27 @@ jobs: debug: 1 fail_build: false - results_to_sarif: - needs: pipeline_scan - runs-on: ubuntu-latest - name: import pipeline results to sarif - steps: - - name: get flaw file - uses: actions/download-artifact@v2 - with: - name: Veracode Pipeline-Scan Results - - name: Convert pipeline scan output to SARIF format - id: convert - uses: Veracode/veracode-pipeline-scan-results-to-sarif@support-saf-scanners - #uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.6 - with: - pipeline-results-json: results.json - output-results-sarif: veracode-results.sarif +# results_to_sarif: +# needs: pipeline_scan +# runs-on: ubuntu-latest +# name: import pipeline results to sarif +# steps: +# - name: get flaw file +# uses: actions/download-artifact@v2 +# with: +# name: Veracode Pipeline-Scan Results +# - name: Convert pipeline scan output to SARIF format +# id: convert +# uses: Veracode/veracode-pipeline-scan-results-to-sarif@support-saf-scanners +# #uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.6 +# with: +# pipeline-results-json: results.json +# output-results-sarif: veracode-results.sari - - name: upload sarif file to repository - uses: github/codeql-action/upload-sarif@v2 - with: # Path to SARIF file relative to the root of the repository - sarif_file: veracode-results.sarif +# - name: upload sarif file to repository +# uses: github/codeql-action/upload-sarif@v2 +# with: # Path to SARIF file relative to the root of the repository +# sarif_file: veracode-results.sarif # This step will import flaws from the step above import-pipeline-flaws: 
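Review bot: The commented-out `results_to_sarif` job is not a verbatim copy of the removed one: `output-results-sarif: veracode-results.sari` has lost its final `f`, so the `sarif_file: veracode-results.sarif` path in the next step would not match if the block were ever uncommented. Prefer deleting the job and relying on git history; if it must stay for reference, keep it byte-identical to the removed lines. Dropping the SARIF upload also removes the only path by which pipeline-scan results reached the Security tab, which is worth stating in the commit message.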
@@ -82,13 +82,14 @@ jobs: runs-on: ubuntu-latest steps: - name: get flaw file - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v4 with: - name: Veracode Pipeline-Scan Results + #name: Veracode Pipeline-Scan Results - path: /tmp - name: import flaws as issues - uses: veracode/veracode-flaws-to-issues@v2.1.18 + uses: veracode/veracode-flaws-to-issues@closeIssues with: - scan-results-json: '/tmp/filtered_results.json' + scan-results-json: '/tmp/Veracode Pipeline-Scan Results - /filtered_results.json' + debug: true diff --git a/.github/workflows/policyscan.yml b/.github/workflows/policyscan.yml index 11f34ef6..f0064fb3 100644 --- a/.github/workflows/policyscan.yml +++ b/.github/workflows/policyscan.yml @@ -20,7 +20,7 @@ jobs: - name: Build with Maven run: mvn clean package - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: verademo.war path: target/verademo.war 
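Review bot: Removing `path: /tmp` from the `get flaw file` download step means `actions/download-artifact@v4` writes to the workspace, and with `name` commented out it downloads every artifact into a subdirectory named after it, so the new `scan-results-json: '/tmp/Veracode Pipeline-Scan Results - /filtered_results.json'` points at a `/tmp` directory that is never populated. Either restore `path: /tmp` or point the input at `${{ github.workspace }}/Veracode Pipeline-Scan Results - /filtered_results.json`, and consider an artifact name without trailing punctuation so the directory is easier to reference. A `with:` block whose only content is a comment is best removed as well. `veracode/veracode-flaws-to-issues@closeIssues` is another branch pin; if, as its name suggests, the action opens and closes issues with the job's token, a `permissions:` block with `issues: write` and a SHA pin are both warranted.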
@@ -34,62 +34,62 @@ jobs: - name: checkout repo uses: actions/checkout@v3 - name: get archive - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: verademo.war - name: policye-scan action step id: policy-scan - uses: veracode/veracode-uploadandscan-action@0.2.6 + uses: veracode/veracode-uploadandscan-action@rewriteToTS #julz0815/Veracode-pipeline-scan-action@beta-0.29 with: - appname: github-uploadandscan + appname: julz0815/test-action createprofile: true policy: 'Verademo Policy' version: '${{ github.run_id }}' - filepath: verademo.war + filepath: ./target/ vid: '${{ secrets.VID }}' vkey: '${{ secrets.VKEY }}' scantimeout: 15 deleteincompletescan: true failbuild: false - - name: get policy flaws - run: | - cd /tmp - export VERACODE_API_KEY_ID=${{ secrets.VERACODE_API_ID }} - export VERACODE_API_KEY_SECRET=${{ secrets.VERACODE_API_KEY }} - guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=github-uploadandscan" | jq -r '._embedded.applications[0].guid') - echo GUID: ${guid} - total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True" | jq -r '.page.total_elements') - echo TOTAL_FLAWS: ${total_flaws} - http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json +# - name: get policy flaws +# run: | +# cd /tmp +# export VERACODE_API_KEY_ID=${{ secrets.VERACODE_API_ID }} +# export VERACODE_API_KEY_SECRET=${{ secrets.VERACODE_API_KEY }} +# guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=github-uploadandscan" | jq -r '._embedded.applications[0].guid') +# echo GUID: ${guid} +# total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True" | jq -r 
'.page.total_elements') +# echo TOTAL_FLAWS: ${total_flaws} +# http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json - - name: save results file - uses: actions/upload-artifact@v3 - with: - name: policy-flaws - path: /tmp/policy_flaws.json +# - name: save results file +# uses: actions/upload-artifact@v3 +# with: +# name: policy-flaws +# path: /tmp/policy_flaws.json - results_to_security_tab: - needs: policy_scan - runs-on: ubuntu-latest - #if: ${{ failure() && inputs.enable_security_report }} - if: always() - name: Send policy scan report to Security tab - steps: - - name: Get scan results - uses: actions/download-artifact@v3 - with: - name: policy-flaws - path: /tmp - - name: show folders - run: | - ls -laR - - name: Convert policy scan output to SARIF format - id: convert - uses: Veracode/veracode-pipeline-scan-results-to-sarif@feature/DXS_254 - with: - scan-type: policy - results-json: '/tmp/tmp/policy_flaws.json' - output-results-sarif: veracode-results.sarif - githubToken: ${{ inputs.token }} +# results_to_security_tab: +# needs: policy_scan +# runs-on: ubuntu-latest +# #if: ${{ failure() && inputs.enable_security_report }} +# if: always() +# name: Send policy scan report to Security tab +# steps: +# - name: Get scan results +# uses: actions/download-artifact@v3 +# with: +# name: policy-flaws +# path: /tmp +# - name: show folders +# run: | +# ls -laR +# - name: Convert policy scan output to SARIF format +# id: convert +# uses: Veracode/veracode-pipeline-scan-results-to-sarif@feature/DXS_254 +# with: +# scan-type: policy +# results-json: '/tmp/tmp/policy_flaws.json' +# output-results-sarif: veracode-results.sarif +# githubToken: ${{ inputs.token }} diff --git a/.github/workflows/policyscan2.yml b/.github/workflows/policyscan2.yml new file mode 100644 index 00000000..fd249e4d --- /dev/null +++ b/.github/workflows/policyscan2.yml 
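Review bot: `filepath: ./target/` points at a directory this job never creates: the build runs in a separate job, `checkout repo` yields a clean tree, and `get archive` downloads the artifact to the workspace root as `verademo.war` because it sets no `path:`, so `./target/` exists only if it is committed. Keep `filepath: verademo.war`, or add `path: target` to the download step if the directory layout matters. `uses: veracode/veracode-uploadandscan-action@rewriteToTS` is a mutable branch ref receiving `secrets.VID`/`secrets.VKEY`; pin to a commit SHA. `appname: julz0815/test-action` with `createprofile: true` creates a new application profile on first run and leaves `github-uploadandscan` orphaned, which is worth stating in the commit message. The `jobs:` mapping starts before this hunk.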
@@ -0,0 +1,25 @@
+on:
+# pull_request:
+# branches: [main]
+ workflow_dispatch:
+
+jobs:
+ policy_scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Veracode Upload and Scan Action Step
+ uses: veracode/uploadandscan-action@v0.1.9
+ id: upload_and_scan
+ with:
+ appname: 'heeloworld'
+ createprofile: true
+ policy: 'Only VH flaws'
+ version: 'new'
+ filepath: helloworld-2.0.jar
+ vid: '${{ secrets.VID }}'
+ vkey: '${{ secrets.VKEY }}'
+ scantimeout: 30
+ failbuild: true
+ gitRepositoryUrl: 'https://github.com/julz0815/test-action'
+ deleteincompletescan: true
diff --git a/.github/workflows/scascan.yml b/.github/workflows/scascan.yml
index 7fc51d79..f81d226a 100644
--- a/.github/workflows/scascan.yml
+++ b/.github/workflows/scascan.yml
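Review bot: `appname: 'heeloworld'` combined with `createprofile: true` means the first run creates an application profile with the misspelled name and every later run binds to it; fix the spelling before this workflow is run once. `version: 'new'` is a fixed string, so repeated runs submit the same version label — the sibling `policyscan.yml` uses `version: '${{ github.run_id }}'`, which should be mirrored here. `uses: veracode/uploadandscan-action@v0.1.9` names a different repository than the `veracode/veracode-uploadandscan-action` used in `policyscan.yml`; confirm which one is intended. `filepath: helloworld-2.0.jar` has no build step producing it, so it must be a committed binary; building the jar in the job is preferable to scanning a checked-in artifact.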
@@ -8,17 +8,74 @@ on: jobs: - veracode-sca-task: + veracode-sca-task1: runs-on: ubuntu-latest - name: Scan remote repository for Issues + name: Scan remote repository for Issues 1 steps: - name: Checkout uses: actions/checkout@v3 + - name: Run Veracode SCA + id: veracode-sca env: SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }} - uses: veracode/veracode-sca@noupload + uses: veracode/veracode-sca@output with: - no-upload: false - debug: true + create-issues: false + debug: true + - name: Display scan URL + run: | + echo "View detailed report at: ${{ steps.veracode-sca.outputs.scan-url }}" + + + + +# veracode-sca-task1: +# runs-on: ubuntu-latest +# name: Scan remote repository for Issues 1 + +# steps: +# - name: Checkout +# uses: actions/checkout@v3 +# - name: Run Veracode SCA +# env: +# SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }} +# uses: veracode/veracode-sca@artifactname +# with: +# create-issues: false +# artifactname: scan1 +# debug: true + +# veracode-sca-task2: +# runs-on: ubuntu-latest +# name: Scan remote repository for Issues 2 + +# steps: +# - name: Checkout +# uses: actions/checkout@v3 +# - name: Run Veracode SCA +# env: +# SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }} +# uses: veracode/veracode-sca@artifactname +# with: +# create-issues: false +# artifactname: scan2 +# debug: true + +# veracode-sca-task3: +# runs-on: ubuntu-latest +# name: Scan remote repository for Issues 3 + +# steps: +# - name: Checkout +# uses: actions/checkout@v3 +# - name: Run Veracode SCA +# env: +# SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }} +# uses: veracode/veracode-sca@artifactname +# with: +# create-issues: false +# artifactname: scan3 +# debug: true + diff --git a/resultsVH-H.json b/resultsVH-H.json new file mode 100644 index 00000000..80234842 --- /dev/null +++ b/resultsVH-H.json 
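Review bot: The `Display scan URL` step expands `${{ steps.veracode-sca.outputs.scan-url }}` directly into the `run:` script, so whatever the action writes to that output becomes shell syntax; pass it through `env:` (`SCAN_URL: ${{ steps.veracode-sca.outputs.scan-url }}`) and `echo "View detailed report at: $SCAN_URL"` instead. `uses: veracode/veracode-sca@output` moves from the `@noupload` branch to another branch ref while still receiving `SRCCLR_API_TOKEN`; pin to a commit SHA or a release tag. The three commented-out `veracode-sca-task1..3` jobs reference yet another branch (`@artifactname`) and an `artifactname` input the active job does not use, so they cannot be re-enabled as-is; delete them rather than keep them as comments.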
@@ -0,0 +1,765 @@ +{ + "_links": { + "root": { + "href": "/" + }, + "self": { + "href": "/scans/80ecac7e-dc19-4ea0-9122-dd10d247f89c/findings" + }, + "help": { + "href": "https://docs.veracode.com/" + } + }, + "scan_id": "80ecac7e-dc19-4ea0-9122-dd10d247f89c", + "scan_status": "SUCCESS", + "message": "Scan successful. Results size: 431723 bytes", + "modules": [ + "verademo.war", + "JS files within verademo.war" + ], + "modules_count": 2, + "findings": [ + { + "title": "java.lang.Runtime.exec", + "issue_id": 1197, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. 
Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 56, + "function_name": "ping", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.ping", + "function_prototype": "java.lang.String ping(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "3149804519", + "prototype_hash": "2923252499", + "flaw_hash": "3051621651", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "221330682", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1487712924", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1198, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. 
If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 59, + "function_name": "ping", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.ping", + "function_prototype": "java.lang.String ping(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "3149804519", + "prototype_hash": "2923252499", + "flaw_hash": "1314945025", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "3320331067", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1835631409", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + 
"flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1195, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data from the variables (new String\\[...\\]). The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. 
Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 91, + "function_name": "fortune", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.fortune", + "function_prototype": "java.lang.String fortune(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "2161030689", + "prototype_hash": "3827778930", + "flaw_hash": "3753823106", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "4165693487", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "3322588175", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1196, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. 
If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data from the variable cmd. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 94, + "function_name": "fortune", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.fortune", + "function_prototype": "java.lang.String fortune(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "2161030689", + "prototype_hash": "3827778930", + "flaw_hash": "3707028537", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "2620704574", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + 
"stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1013, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 166, + "function_name": "processLogin", + "qualified_function_name": "com.veracode.verademo.controller.UserController.processLogin", + "function_prototype": "java.lang.String processLogin(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027user\u0027, required\u003d1) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027password\u0027, required\u003d1) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027remember\u0027, required\u003d0) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027target\u0027, required\u003d0) java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "1665904725", + "prototype_hash": "839857025", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1015, + "image_path": 
"file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 251, + "function_name": "showPasswordHint", + "qualified_function_name": "com.veracode.verademo.controller.UserController.showPasswordHint", + "function_prototype": "java.lang.String showPasswordHint(java.lang.String)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "14368270", + "prototype_hash": "649289062", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1014, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. 
An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 316, + "function_name": "processRegister", + "qualified_function_name": "com.veracode.verademo.controller.UserController.processRegister", + "function_prototype": "java.lang.String processRegister(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027user\u0027) java.lang.String, javax.servlet.http.HttpServletRequest, org.springframework.ui.Model)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "3365427062", + "prototype_hash": "2646652268", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": 
"java.sql.Statement.execute", + "issue_id": 1008, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 384, + "function_name": "processRegisterFinish", + "qualified_function_name": "com.veracode.verademo.controller.UserController.processRegisterFinish", + "function_prototype": "java.lang.String processRegisterFinish(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027password\u0027, required\u003d1) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027cpassword\u0027, required\u003d1) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027realName\u0027, required\u003d1) java.lang.String,@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027blabName\u0027, required\u003d1) java.lang.String, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.ui.Model)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "1551041351", + "prototype_hash": "992078440", + "flaw_hash": "3765405848", + "flaw_hash_count": 2, + "flaw_hash_ordinal": 1, + "cause_hash": "153293750", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "2866949028", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1016, + 
"image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 496, + "function_name": "showProfile", + "qualified_function_name": "com.veracode.verademo.controller.UserController.showProfile", + "function_prototype": "java.lang.String showProfile(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027type\u0027, required\u003d0) java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "1695726047", + "prototype_hash": "931230983", + "flaw_hash": "3392777041", + "flaw_hash_count": 3, + "flaw_hash_ordinal": 2, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.PreparedStatement.executeQuery", + "issue_id": 1025, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/UserController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. 
The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/UserController.java", + "upload_file": "com/veracode/verademo/controller/UserController.java", + "line": 507, + "function_name": "showProfile", + "qualified_function_name": "com.veracode.verademo.controller.UserController.showProfile", + "function_prototype": "java.lang.String showProfile(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027type\u0027, required\u003d0) java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest)", + "scope": "com.veracode.verademo.controller.UserController" + } + }, + "flaw_match": { + "procedure_hash": "1695726047", + "prototype_hash": "931230983", + "flaw_hash": "1480817290", + "flaw_hash_count": 3, + "flaw_hash_ordinal": 3, + "cause_hash": "2866949028", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "4" + }, + 
"stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.PreparedStatement.executeQuery", + "issue_id": 1024, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/BlabController", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/BlabController.java", + "upload_file": "com/veracode/verademo/controller/BlabController.java", + "line": 494, + "function_name": "showBlabbers", + "qualified_function_name": "com.veracode.verademo.controller.BlabController.showBlabbers", + "function_prototype": "java.lang.String showBlabbers(@org.springframework.web.bind.annotation.RequestParam(value\u003d\u0027sort\u0027, required\u003d0) java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest)", + "scope": "com.veracode.verademo.controller.BlabController" + } + }, + "flaw_match": { + "procedure_hash": "1426715244", + "prototype_hash": "364381741", + "flaw_hash": "1480817290", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "2866949028", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "4" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1012, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/RemoveAccountCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. 
The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "upload_file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "line": 40, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.RemoveAccountCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.RemoveAccountCommand" + } + }, + "flaw_match": { + "procedure_hash": "2052213374", + "prototype_hash": "27480697", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.execute", + "issue_id": 1007, + 
"image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/RemoveAccountCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "upload_file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "line": 47, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.RemoveAccountCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.RemoveAccountCommand" + } + }, + "flaw_match": { + "procedure_hash": "2052213374", + "prototype_hash": "27480697", + "flaw_hash": "239218340", + "flaw_hash_count": 6, + "flaw_hash_ordinal": 4, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "3" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.execute", + "issue_id": 1009, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/RemoveAccountCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. 
An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "upload_file": "com/veracode/verademo/commands/RemoveAccountCommand.java", + "line": 51, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.RemoveAccountCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.RemoveAccountCommand" + } + }, + "flaw_match": { + "procedure_hash": "2052213374", + "prototype_hash": "27480697", + "flaw_hash": "239218340", + "flaw_hash_count": 6, + "flaw_hash_ordinal": 6, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "3" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1011, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/ListenCommand", + "gob": 
"B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/ListenCommand.java", + "upload_file": "com/veracode/verademo/commands/ListenCommand.java", + "line": 40, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.ListenCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.ListenCommand" + } + }, + "flaw_match": { + "procedure_hash": "1600354578", + "prototype_hash": "2344031398", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": 
"1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.execute", + "issue_id": 1006, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/ListenCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/ListenCommand.java", + "upload_file": "com/veracode/verademo/commands/ListenCommand.java", + "line": 47, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.ListenCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.ListenCommand" + } + }, + "flaw_match": { + "procedure_hash": "1600354578", + "prototype_hash": "2344031398", + "flaw_hash": "239218340", + "flaw_hash_count": 4, + "flaw_hash_ordinal": 4, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "3" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.executeQuery", + "issue_id": 1010, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/IgnoreCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. 
The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/IgnoreCommand.java", + "upload_file": "com/veracode/verademo/commands/IgnoreCommand.java", + "line": 40, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.IgnoreCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.IgnoreCommand" + } + }, + "flaw_match": { + "procedure_hash": "592522510", + "prototype_hash": "154563142", + "flaw_hash": "3392777041", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + }, + { + "title": "java.sql.Statement.execute", + "issue_id": 1005, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/commands/IgnoreCommand", + "gob": "B", + "severity": 4, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an 
SQL Command (\u0027SQL Injection\u0027)", + "cwe_id": "89", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/SQL_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/commands/IgnoreCommand.java", + "upload_file": "com/veracode/verademo/commands/IgnoreCommand.java", + "line": 47, + "function_name": "execute", + "qualified_function_name": "com.veracode.verademo.commands.IgnoreCommand.execute", + "function_prototype": "void execute(java.lang.String)", + "scope": "com.veracode.verademo.commands.IgnoreCommand" + } + }, + "flaw_match": { + "procedure_hash": "592522510", + "prototype_hash": "154563142", + "flaw_hash": "239218340", + "flaw_hash_count": 4, + "flaw_hash_ordinal": 4, + "cause_hash": "1176028798", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "3" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + 
"flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/89.html" + } + ], + "selected_modules": [], + "engine_version": "20250924195751", + "pipeline_scan": "25.2.0-0", + "dev_stage": "DEVELOPMENT" +} \ No newline at end of file diff --git a/resultsVH.json b/resultsVH.json new file mode 100644 index 00000000..12d07f0a --- /dev/null +++ b/resultsVH.json 
@@ -0,0 +1,191 @@ +{ + "_links": { + "root": { + "href": "/" + }, + "self": { + "href": "/scans/80ecac7e-dc19-4ea0-9122-dd10d247f89c/findings" + }, + "help": { + "href": "https://docs.veracode.com/" + } + }, + "scan_id": "80ecac7e-dc19-4ea0-9122-dd10d247f89c", + "scan_status": "SUCCESS", + "message": "Scan successful. Results size: 431723 bytes", + "modules": [ + "verademo.war", + "JS files within verademo.war" + ], + "modules_count": 2, + "findings": [ + { + "title": "java.lang.Runtime.exec", + "issue_id": 1197, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. 
Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 56, + "function_name": "ping", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.ping", + "function_prototype": "java.lang.String ping(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "3149804519", + "prototype_hash": "2923252499", + "flaw_hash": "3051621651", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "221330682", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1487712924", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1198, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. 
If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 59, + "function_name": "ping", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.ping", + "function_prototype": "java.lang.String ping(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "3149804519", + "prototype_hash": "2923252499", + "flaw_hash": "1314945025", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "3320331067", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1835631409", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + 
"flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1195, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data from the variables (new String\\[...\\]). The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. 
Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 91, + "function_name": "fortune", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.fortune", + "function_prototype": "java.lang.String fortune(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "2161030689", + "prototype_hash": "3827778930", + "flaw_hash": "3753823106", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "4165693487", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "3322588175", + "cause_hash2_ordinal": "1" + }, + "stack_dumps": { + "stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + }, + { + "title": "java.lang.Runtime.exec", + "issue_id": 1196, + "image_path": "file:/tmp/tmp20yxk2jr/binary/verademo.veracodegen.vc.war#zip:com/veracode/verademo/controller/ToolsController", + "gob": "B", + "severity": 5, + "issue_type_id": "taint", + "issue_type": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", + "cwe_id": "78", + "exploit_level": "0", + "display_text": "\u003cspan\u003eThis call to java.lang.Runtime.exec() contains a command injection flaw. The argument to the function is constructed using untrusted input. 
If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to exec() contains tainted data from the variable cmd. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eValidate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a \"safe\" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/78.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://owasp.org/www-community/attacks/Command_Injection\"\u003eOWASP\u003c/a\u003e\u003c/span\u003e", + "files": { + "source_file": { + "file": "com/veracode/verademo/controller/ToolsController.java", + "upload_file": "com/veracode/verademo/controller/ToolsController.java", + "line": 94, + "function_name": "fortune", + "qualified_function_name": "com.veracode.verademo.controller.ToolsController.fortune", + "function_prototype": "java.lang.String fortune(java.lang.String)", + "scope": "com.veracode.verademo.controller.ToolsController" + } + }, + "flaw_match": { + "procedure_hash": "2161030689", + "prototype_hash": "3827778930", + "flaw_hash": "3707028537", + "flaw_hash_count": 1, + "flaw_hash_ordinal": 1, + "cause_hash": "2620704574", + "cause_hash_count": 1, + "cause_hash_ordinal": 1, + "cause_hash2": "1522093433", + "cause_hash2_ordinal": "5" + }, + "stack_dumps": { + 
"stack_dump": [ + {} + ] + }, + "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/78.html" + } + ], + "selected_modules": [], + "engine_version": "20250924195751", + "pipeline_scan": "25.2.0-0", + "dev_stage": "DEVELOPMENT" +} \ No newline at end of file diff --git a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java b/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java index 51df35ed..e96d6bdc 100644 --- a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ b/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -36,15 +36,21 @@ public void execute(String blabberUsername) { sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; Statement sqlStatement = connect.createStatement(); - logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); +sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +logger.info(sqlQuery); +sqlStatement2.setString(1, blabberUsername); +ResultSet result = sqlStatement2.executeQuery(); result.next(); /* START BAD CODE */ - String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")"; - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")"; - logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); +String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")"; +sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; +logger.info(sqlQuery); +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +sqlStatement2.setString(1, username); +sqlStatement2.setString(2, event); +sqlStatement2.execute(); /* END BAD CODE */ } catch (SQLException e) { // TODO Auto-generated catch block 
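Review bot: `PreparedStatement sqlStatement2` is declared twice inside the same try block (once for the SELECT, again for the INSERT), which is a Java compile error ("variable sqlStatement2 is already defined"); make the second one an assignment, or give the INSERT its own name such as `PreparedStatement insertStatement = connect.prepareStatement(sqlQuery);`. The original concatenated `sqlQuery = "SELECT ... '" + blabberUsername + "'"` and the now-unused `Statement sqlStatement = connect.createStatement();` survive as context lines, so the tainted string is still built and a Statement is still opened (and never closed) before the parameterized query overwrites them — drop both and consider try-with-resources, since neither prepared statement nor the ResultSet is closed. The added lines are flush-left while the surrounding method body keeps its indentation, which makes the hunk hard to read. The same redeclaration and leftovers appear in the ListenCommand hunk and three times over in RemoveAccountCommand (SELECT, INSERT and DELETE all declare `sqlStatement2`). execute() continues outside the hunk.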
@@ -53,3 +59,8 @@ public void execute(String blabberUsername) { } } + + +// test commit + +// more tests \ No newline at end of file diff --git a/src/main/java/com/veracode/verademo/commands/ListenCommand.java b/src/main/java/com/veracode/verademo/commands/ListenCommand.java index e80a48b4..953bf5cd 100644 --- a/src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ b/src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -36,15 +36,21 @@ public void execute(String blabberUsername) { sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; Statement sqlStatement = connect.createStatement(); - logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); +sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +logger.info(sqlQuery); +sqlStatement2.setString(1, blabberUsername); +ResultSet result = sqlStatement2.executeQuery(); result.next(); /* START BAD CODE -----*/ - String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")"; - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")"; - logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); +String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")"; +sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; +logger.info(sqlQuery); +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +sqlStatement2.setString(1, username); +sqlStatement2.setString(2, event); +sqlStatement2.execute(); /* END BAD CODE */ } catch (SQLException e) { // TODO Auto-generated catch block diff --git a/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java b/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java index c2211f46..b3379a2c 100644 
--- a/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ b/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -36,19 +36,29 @@ public void execute(String blabberUsername) { sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; Statement sqlStatement = connect.createStatement(); - logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); +sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +logger.info(sqlQuery); +sqlStatement2.setString(1, blabberUsername); +ResultSet result = sqlStatement2.executeQuery(); result.next(); /* START BAD CODE ------*/ - String event = "Removed account for blabber " + result.getString(1); - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')"; - logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); +String event = "Removed account for blabber " + result.getString(1); + sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; + logger.info(sqlQuery); + PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); + sqlStatement2.setString(1, blabberUsername); + sqlStatement2.setString(2, event); + sqlStatement2.execute(); sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'"; logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); +sqlQuery = "DELETE FROM users WHERE username = ?"; +logger.info(sqlQuery); +PreparedStatement sqlStatement2 = connect.prepareStatement(sqlQuery); +sqlStatement2.setString(1, blabberUsername); +sqlStatement2.execute(); /* END BAD CODE */ } catch (SQLException e) { diff --git a/src/main/java/com/veracode/verademo/controller/BlabController.java b/src/main/java/com/veracode/verademo/controller/BlabController.java index 24012a8f..5f390581 100644 --- a/src/main/java/com/veracode/verademo/controller/BlabController.java 
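Review bot: The context lines `sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";` and `logger.info(sqlQuery);` are kept above the new parameterized DELETE, so the unparameterized query text — with the raw, unsanitized username embedded — is still constructed and written to the log before being overwritten on the next line; remove both so only the `?` form is logged. The same pattern is left for the SELECT at the top of the hunk. The INSERT block is indented one level while the SELECT and DELETE blocks are flush-left; pick one indentation for the whole method. execute() continues outside the hunk.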
+++ b/src/main/java/com/veracode/verademo/controller/BlabController.java 
@@ -467,27 +467,22 @@ public String showBlabbers( logger.info("User is Logged In - continuing..."); Connection connect = null; - PreparedStatement blabberQuery = null; - - /* START BAD CODE */ - String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at," - + " SUM(if(listeners.listener=?, 1, 0)) as listeners," - + " SUM(if(listeners.status='Active',1,0)) as listening" - + " FROM users LEFT JOIN listeners ON users.username = listeners.blabber" - + " WHERE users.username NOT IN (\"admin\",?)" + " GROUP BY users.username" + " ORDER BY " + sort + ";"; - - try { - logger.info("Getting Database connection"); - // Get the Database Connection - Class.forName("com.mysql.jdbc.Driver"); - connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - - // Find the Blabbers - logger.info(blabbersSql); - blabberQuery = connect.prepareStatement(blabbersSql); - blabberQuery.setString(1, username); - blabberQuery.setString(2, username); - ResultSet blabbersResults = blabberQuery.executeQuery(); +PreparedStatement blabberQuery = null; +String blabbersSql = "SELECT users.username, " + " users.blab_name, " + " users.created_at, " ++ " SUM(if(listeners.listener=?, 1, 0)) as listeners, " ++ " SUM(if(listeners.status='Active', 1, 0)) as listening" ++ " FROM users LEFT JOIN listeners ON users.username = listeners.blabber" ++ " WHERE users.username NOT IN (\"admin\", ?)" + " GROUP BY users.username" + " ORDER BY ?;"; +try { + logger.info("Getting Database connection"); + Class.forName("com.mysql.jdbc.Driver"); + connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); + logger.info(blabbersSql); + blabberQuery = connect.prepareStatement(blabbersSql); + blabberQuery.setString(1, username); + blabberQuery.setString(2, username); + blabberQuery.setString(3, sort); + ResultSet blabbersResults = blabberQuery.executeQuery(); /* END BAD CODE */ List blabbers = new ArrayList(); 
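Review bot: Binding the sort column with `blabberQuery.setString(3, sort)` into `ORDER BY ?;` does not parameterize an identifier — the driver sends it as a quoted string literal, so the server orders by a constant and the result is effectively unsorted; the change silently breaks sorting instead of fixing the injection. Identifiers cannot be bound; validate `sort` against a fixed allowlist of the selected columns before concatenating it, e.g. `if (!Arrays.asList("username", "blab_name", "created_at").contains(sort)) sort = "username";` and keep `" ORDER BY " + sort + ";"` with only two bound parameters. The `/* START BAD CODE */` marker was deleted while the matching `/* END BAD CODE */` context line remains, and re-adding `PreparedStatement blabberQuery = null;` plus the re-spaced SQL fragments is churn unrelated to the fix. showBlabbers continues outside the hunk.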
diff --git a/src/main/java/com/veracode/verademo/controller/UserController.java b/src/main/java/com/veracode/verademo/controller/UserController.java index 1cf177e1..5cdb01c7 100644 --- a/src/main/java/com/veracode/verademo/controller/UserController.java +++ b/src/main/java/com/veracode/verademo/controller/UserController.java @@ -111,7 +111,8 @@ public String showLogin( target = ""; } - logger.info("Entering showLogin with username " + username + " and target " + target); + /*logger.info("Entering showLogin with username " + username + " and target " + target);*/ + logger.info("Entering showLogin with username and target "); model.addAttribute("username", username); model.addAttribute("target", target); 
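Review bot: The old log line is kept as a block comment `/*logger.info("Entering showLogin with username " + username + " and target " + target);*/`; commented-out code is routinely reinstated later, so delete it and let version history carry it. The replacement `"Entering showLogin with username and target "` carries no data, ends in a trailing space and reads as if something was meant to follow — log `"Entering showLogin"` or a sanitized form of the values. This appears to be a log-forging mitigation; if so, the showPasswordHint hunk below still logs the raw `username` and should get the same treatment. showLogin continues outside the hunk.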
@@ -236,21 +237,18 @@ public String processLogin( @ResponseBody public String showPasswordHint(String username) { - logger.info("Entering password-hint with username: " + username); - - if (username == null || username.isEmpty()) { - return "No username provided, please type in your username first"; - } - - try { - Class.forName("com.mysql.jdbc.Driver"); - - Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - - String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; - logger.info(sql); - Statement statement = connect.createStatement(); - ResultSet result = statement.executeQuery(sql); +logger.info("Entering password-hint with username: " + username); + if (username == null || username.isEmpty()) { + return "No username provided, please type in your username first"; + } + try { + Class.forName("com.mysql.jdbc.Driver"); + Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); + String sql = "SELECT password_hint FROM users WHERE username = ?"; + logger.info(sql); + PreparedStatement statement = connect.prepareStatement(sql); + statement.setString(1, username); + ResultSet result = statement.executeQuery(); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s"; 
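Review bot: `logger.info("Entering password-hint with username: " + username);` still writes the unvalidated request parameter straight into the log, which is the same pattern the showLogin hunk just removed; apply the same treatment here for consistency. `connect`, `statement` and `result` are never closed on either path — a try-with-resources over the connection and statement would cover the SQLException branch too. The added lines are indented at column 0 while the kept context lines are not, so the method now mixes two indentation styles. showPasswordHint continues outside the hunk.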
@@ -314,8 +312,9 @@ public String processRegister( Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); String sql = "SELECT username FROM users WHERE username = '" + username + "'"; - Statement statement = connect.createStatement(); - ResultSet result = statement.executeQuery(sql); +PreparedStatement statement = connect.prepareStatement("SELECT username FROM users WHERE username = ?"); +statement.setString(1, username); +ResultSet result = statement.executeQuery(); if (result.first()) { model.addAttribute("error", "Username '" + username + "' already exists!"); return "register"; 
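Review bot: The context line `String sql = "SELECT username FROM users WHERE username = '" + username + "'";` is left in place, so the concatenated query is still built (now unused) while the new `prepareStatement` call repeats the query as a second, diverging literal. Change the context line to `String sql = "SELECT username FROM users WHERE username = ?";` and pass `sql` to `prepareStatement`, so there is a single source of truth for the query text. `statement` and `result` are not closed in the visible lines. processRegister continues outside the hunk.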
@@ -361,29 +360,22 @@ public String processRegisterFinish( } Connection connect = null; - Statement sqlStatement = null; - - try { - // Get the Database Connection - logger.info("Creating the Database connection"); - Class.forName("com.mysql.jdbc.Driver"); - connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - - /* START BAD CODE */ - // Execute the query - String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")) - .format(Calendar.getInstance().getTime()); - StringBuilder query = new StringBuilder(); - query.append("insert into users (username, password, created_at, real_name, blab_name) values("); - query.append("'" + username + "',"); - query.append("'" + password + "',"); - query.append("'" + mysqlCurrentDateTime + "',"); - query.append("'" + realName + "',"); - query.append("'" + blabName + "'"); - query.append(");"); - - sqlStatement = connect.createStatement(); - sqlStatement.execute(query.toString()); +PreparedStatement sqlStatement = null; +try { + logger.info("Creating the Database connection"); + Class.forName("com.mysql.jdbc.Driver"); + connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); + String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")) + .format(Calendar.getInstance().getTime()); + String query = "insert into users (username, password, created_at, real_name, blab_name) values(?, ?, ?, ?, ?)"; + sqlStatement = connect.prepareStatement(query); + sqlStatement.setString(1, username); + sqlStatement.setString(2, password); + sqlStatement.setString(3, mysqlCurrentDateTime); + sqlStatement.setString(4, realName); + sqlStatement.setString(5, blabName); + sqlStatement.execute(); + logger.info(query); logger.info(query.toString()); /* END BAD CODE */ 
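Review bot: The new `logger.info(query);` is immediately followed by the kept context line `logger.info(query.toString());`, so the same query string is now logged twice; drop one of them. `/* START BAD CODE */` was removed but the `/* END BAD CODE */` context line remains, leaving an unmatched marker. `sqlStatement.setString(2, password)` binds whatever `password` holds verbatim — if it is not hashed earlier in the method (outside this hunk), parameterizing the INSERT does not change how the credential is stored, so that is worth confirming. processRegisterFinish continues outside the hunk; whether a later finally block closes `sqlStatement` is not visible here.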
@@ -493,8 +485,9 @@ public String showProfile( String sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; "; logger.info(sqlMyEvents); - Statement sqlStatement = connect.createStatement(); - ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents); +PreparedStatement sqlStatement = connect.prepareStatement("select event from users_history where blabber=? ORDER BY eventid DESC"); +sqlStatement.setString(1, username); +ResultSet userHistoryResult = sqlStatement.executeQuery(); /* END BAD CODE */ while (userHistoryResult.next()) { @@ -502,10 +495,11 @@ public String showProfile( } // Get the users information - String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'"; - logger.info(sql); - myInfo = connect.prepareStatement(sql); - ResultSet myInfoResults = myInfo.executeQuery(); +String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?"; +logger.info(sql); +myInfo = connect.prepareStatement(sql); +myInfo.setString(1, username); +ResultSet myInfoResults = myInfo.executeQuery(); myInfoResults.next(); // Send these values to our View diff --git a/target/classes/com/veracode/verademo/commands/IgnoreCommand.class b/target/classes/com/veracode/verademo/commands/IgnoreCommand.class index 4ac92e34..32bf5505 100644 Binary files a/target/classes/com/veracode/verademo/commands/IgnoreCommand.class and b/target/classes/com/veracode/verademo/commands/IgnoreCommand.class differ diff --git a/target/classes/com/veracode/verademo/commands/ListenCommand.class b/target/classes/com/veracode/verademo/commands/ListenCommand.class index d074f517..1387071c 100644 Binary files a/target/classes/com/veracode/verademo/commands/ListenCommand.class and b/target/classes/com/veracode/verademo/commands/ListenCommand.class differ 
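Review bot: `String sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; ";` and `logger.info(sqlMyEvents);` are kept as context lines above the new `prepareStatement(...)` call with an inline literal, so the concatenated query is still built and logged with the raw username, and the two copies of the query text already diverge (the literal drops the trailing `; `). Rewrite the context line as `String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC";` and pass `sqlMyEvents` to `prepareStatement`. The second showProfile hunk in this section does exactly that for `sql`/`myInfo` and is the pattern to follow. showProfile continues outside both hunks.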
diff --git a/target/classes/com/veracode/verademo/commands/RemoveAccountCommand.class b/target/classes/com/veracode/verademo/commands/RemoveAccountCommand.class index 7f65294b..a6254195 100644 Binary files a/target/classes/com/veracode/verademo/commands/RemoveAccountCommand.class and b/target/classes/com/veracode/verademo/commands/RemoveAccountCommand.class differ diff --git a/target/classes/com/veracode/verademo/controller/BlabController.class b/target/classes/com/veracode/verademo/controller/BlabController.class index a13541b4..7220425c 100644 Binary files a/target/classes/com/veracode/verademo/controller/BlabController.class and b/target/classes/com/veracode/verademo/controller/BlabController.class differ diff --git a/target/classes/com/veracode/verademo/controller/UserController$1.class b/target/classes/com/veracode/verademo/controller/UserController$1.class index b6a65eb1..a3939f57 100644 Binary files a/target/classes/com/veracode/verademo/controller/UserController$1.class and b/target/classes/com/veracode/verademo/controller/UserController$1.class differ diff --git a/target/classes/com/veracode/verademo/controller/UserController.class b/target/classes/com/veracode/verademo/controller/UserController.class index a138c013..9f939184 100644 Binary files a/target/classes/com/veracode/verademo/controller/UserController.class and b/target/classes/com/veracode/verademo/controller/UserController.class differ